By Dr David Hillson, PMP, HonFAPM ©
Most of us had hoped that the debate about how to define a risk was settled. This was a “hot topic” around the turn of the century, particularly focused on the question of whether the concept of risk should include opportunity as well as threat, or whether risk was exclusively negative. The majority consensus now seems to be agreed that risk is double-sided and covers both upside and downside.
Now the publication of the ISO31000 “Risk management – Principles and guidelines” standard (published in November 2009) looks likely to reignite the definition debate, and this time the issue is equally fundamental. At first sight the definition of risk in ISO31000 appears to be clear and unambiguous, with just five words:
“Effect of uncertainty on objectives”
This contains all three vital words that any definition of risk must include.
- Risk is about uncertainty and it may never happen.
- Risk matters and must be managed because it has an effect.
- We measure that effect against defined objectives.
So far so good. But looking more closely at the ISO31000 risk definition, a problem appears. The ISO risk standard clearly states that “Risk is effect…” If we follow this approach, we would define the following as negative risks: delay, overspend, accidents, reputation damage, lost market share, inefficiency etc. On the upside we would see time or cost savings as positive risks, or enhanced performance or increased shareholder value. All of these things are effects on objectives that could arise from uncertainty.
By contrast, every other risk standard previously has defined risk in terms similar to the following:
“Risk is an uncertainty that, if it occurs, will have an effect on objectives”
This is completely different from the ISO31000 risk definition. The other risk standards clearly state that a negative risk is an uncertainty that would cause delay or overspend or reputation damage if it happened. An upside risk is also uncertain and its occurrence would result in time or cost savings, or improved reputation. A risk can be an uncertain event or an uncertain set of circumstances or an uncertain assumption, but the key point according to these standards is that the risk is uncertain. Of course because a risk is uncertain then it may never happen, but if it does happen then it will have an effect on objectives. But the risk is not the effect. The risk is the uncertainty that would result in an effect.
This matters because it determines the goal of risk management. If “Risk is effect…” then risk management seeks to manage those effects, and the risk process must focus on how to avoid or minimise negative impacts and how to exploit or maximise positive impacts. But if “Risk is uncertainty…” then the aim of the risk process is to address uncertain events or conditions. This means to stop negative risks from happening if possible, or at least to reduce their probability and/or impact. It also means to capture positive risks or maximise their probability and/or impact. Addressing the uncertainty leads to a more proactive approach than trying to tackle the effect.
It is also important to be clear about the risk definition in order to avoid confusion and disillusionment among teams who are trying to manage their risks. While most risk specialists will be able to cope with the variation introduced by ISO31000, others are likely to find it distracting.
One possibility is that in their search for a simple elegant definition of risk, the authors of ISO31000 have oversimplified and therefore created this confusing change. It seems unlikely that the whole world of established risk management practice will change direction to match this new definition of “Risk is the effect of uncertainty on objectives” instead of “Risk is an uncertainty that, if it occurs, will have an effect on objectives”. Instead we must hope that common sense prevails and perhaps the ISO31000 definition might change.
| Standard | Definition of “risk”: “uncertainty ...” | “... that matters” |
|---|---|---|
| British Standard BS6079-3:2000 (2000) | “Uncertainty inherent in plans and the possibility of something happening (i.e. a contingency) ...” | “... that can affect the prospects of achieving business or project goals.” |
| British Standard BS IEC 62198:2001 (2001) | “Combination of the probability of an event occurring ...” | “... and its consequences on project objectives.” |
| A Risk Management Standard (Institute of Risk Management et al, 2002) | “The combination of the probability of an event ...” | “... and its consequences.” |
| Australian/New Zealand Standard AS/NZS 4360:2004 (2004) | “The chance of something happening ...” | “... that will have an impact on objectives.” |
| Risk Analysis & Management for Projects [RAMP] (Institution of Civil Engineers et al, 2005) | “A possible occurrence ...” | “... which could affect (positively or negatively) the achievement of the objectives for the investment.” |
| APM Body of Knowledge (Association for Project Management, 2006) | “An uncertain event or set of circumstances ...” | “... that should it or they occur would have an effect on achievement of one or more project objectives.” |
| Management of Risk [M_o_R]: Guidance for Practitioners (Office of Government Commerce, 2007) | “An uncertain event or set of events ...” | “... that should it occur will have an effect on the achievement of objectives.” |
| A Guide to the Project Management Body of Knowledge [PMBoK® Guide] (Project Management Institute, 2008) | “An uncertain event or condition ...” | “... that if it occurs has a positive or negative effect on a project’s objectives.” |
| British Standard BS31100:2008 (2008) | “Effect of uncertainty ...” | “... on objectives.” |
| ISO31000:2009 (2009) | “Effect of uncertainty ...” | “... on objectives.” |
About the Author
Dr David Hillson, PMP FRSA HonFAPM FIRM FCMI, is internationally recognized as a leading thinker and practitioner in risk management. He is Director of Risk Doctor & Partners (http://www.riskdoctor.com), and has worked in over 40 countries. He is a popular conference speaker and award-winning author on risk, with six books on the topic. David is an active member of the Project Management Institute (PMI) and was a founder member of its Risk Management Specific Interest Group. He received the PMI Distinguished Contribution Award for his work in developing risk management over many years. Since 1998 he has been a core author for the risk chapter of the PMBOK® Guide, and is a core author for the PMI Practice Standard for Project Risk Management.